US20030079136A1 - Security framework - Google Patents
- Publication number: US20030079136A1
- Application number: US10/175,942
- Authority: US (United States)
- Prior art keywords: user, application, access, permission, database
- Legal status: Abandoned
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H04L63/101—Access control lists [ACL]
Definitions
- Assigning an application permission token includes defining the application functionalities.
- An application database record is produced for each application running on the server.
- An application token database record is produced for each application permission token assigned to the application functionalities of the application running on the server.
- A user database record is produced for each user of the server.
- Newly-added users are authenticated by requiring the newly-added users to prove their identity.
- An authenticity certificate is then produced for and provided to the newly-added user.
- The authenticity certificate identifies the newly-added user and includes a unique encryption key that encrypts any data communicated between the user's computer and the server.
- The user is authenticated upon login by comparing the information encoded within the authenticity certificate to the information stored on the database.
- Authenticating newly-added users further includes requiring the newly-added user to provide personal information prior to the creation of the authenticity certificate and requiring an administrator to approve the personal information entered by the user.
- A user group is produced such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process.
- A folder permission token is assigned to one or more folders within a directory structure. Regulating the access of a user also regulates the access of the user to the folder permission tokens assigned in this way. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder.
- A folder token database record is produced for each folder permission token assigned to the folders within the directory structure.
- A computer program product, which resides on a computer readable medium, has a plurality of instructions stored on it. When executed by a processor, these instructions cause the processor to assign an application permission token to one or more application functionalities of an application running on a server.
- The computer program product regulates the access of a user to the application permission tokens assigned in this way. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality.
- The computer program product also stores, on a database, the application permission tokens of the application and the application access rights of the user.
- Network security can be enhanced. By allowing an administrator to assign tokens to the various functionalities of an application, user access rights can be fine-tuned to an enhanced level. By combining traditional logon procedures (i.e., user names and passwords) with authenticity certificates, network security can be further enhanced. By utilizing tokens to assign rights to individual folders within an FTP directory structure, folder access can also be refined and enhanced.
- FIG. 1 is a block diagram of a network security process.
- FIG. 2 is a flow chart depicting a method for providing network security.
- Referring to FIG. 1, a process 10 regulates the application functionality and network access of a user 12.
- Process 10 resides on a storage device 14 on server 16.
- This storage device 14 can be a hard disk drive, a tape drive, an optical drive, a RAID array, a random access memory (RAM), or a read-only memory (ROM).
- Server 16 is connected to a distributed computing network 18, which can be the Internet, an intranet, a local area network, an extranet, or any other form of network environment.
- Process 10 is typically administered by an administrator 20 using a graphical user interface (not shown) running on a remote computer 22, which is also connected to network 18.
- The graphical user interface can be a web browser, such as Microsoft Internet Explorer™ or Netscape Navigator™.
- A network user 12 typically accesses process 10 and the data and resources stored on storage device 14 through a remote computer 24 that is also connected to network 18.
- Process 10 is typically a web-enabled process that is accessible through a web browser. Since web browsers are cross-platform compatible, configuring process 10 as a web-based process reduces any hardware compatibility issues concerning remote computers 22, 24.
- Server 16 runs web server software, such as Microsoft Internet Information Server™, to facilitate the operation of process 10 in a web environment.
- Process 10 includes an application permission configuration process 26 that allows administrator 20 to assign an application permission token to one or more application functionalities 32, 34, 36 of an application 28, 30 running on server 16.
- These application functionalities 32, 34, 36 can be any process or sub-process of an application. Additionally, if the application is a web-based application usable through a web browser, a functionality could be an embedded link, such as a URL. Examples of these application functionalities 32, 34, 36 are: a print file command; a save file command; an open file command; a link to a remote website; a report generation command; a report review command; or a database query.
- Application permission tokens “at1”, “at2”, and “at3” are unique identifiers used by process 10 to identify each application functionality of the application to which they are assigned.
- For example, “at1” may be an application permission token that corresponds to a database query command on a web page,
- “at2” may be an application permission token that corresponds to a compiled report command on a web page, and
- “at3” may be an application permission token that corresponds to a print report command on a web page, such that each of these commands represents a unique functionality of the application.
- Application functionalities 32, 34, 36 can be individual applets or links within a web page, or commands and procedures available in non-web-based applications, such as word processors, spreadsheets, databases, etc.
- For example, an application functionality can be the new file command in a word processor, the print file command in a word processor, the recalculate command in a spreadsheet, the edit query command in a database, the redraw command in a graphics program, etc.
- Alternatively, an application functionality can be a link (i.e., URL) that allows a user to access another web page or web-based process, or the application functionality can be the web-based process itself.
- For example, a link on a homepage to an employee name directory web page may be an application functionality that is restricted, via permission tokens, so that only low-level managers (and above) can access this page.
- This employee name directory web page may include an employee search query box that allows users to search the employee records to determine various pieces of semi-confidential information (such as starting dates, home addresses, etc.).
- This search command within the employee name directory web page may be configured as a separate application functionality and, therefore, further restricted (via permission tokens) so that only mid-level managers (and above) can execute that search command and view the search results.
- Within this employee name directory web page there may also be a separate link that goes to an employee salary web page that lists the salary of each employee within the company. Obviously, this is highly confidential information that should only be made available to high-level managers within the company. Therefore, the link to this employee salary web page is a separate application functionality that is further restricted, via permission tokens, so that only high-level managers have access to this sensitive information.
- A functionality configuration process 38 incorporated into application permission configuration process 26 is used by administrator 20 to assign application permission tokens to the various application functionalities of the application being configured.
- Administrator 20 can assign application permission tokens to as many or as few application functionalities of the application as desired. Accordingly, administrator 20 can fully control and configure the level of access granularity associated with an application.
- Process 10 maintains a database 40, which typically resides on storage device 14, that specifies each application 28, 30 and application permission token “at1”, “at2”, and “at3” configured by administrator 20.
- Each time a new application is configured, database 40 is modified to include a record for that newly-configured application. Information included in this record can be information concerning the manufacturer of the program, the name of the program, the version of the program, the date configured, etc. Additionally, each application permission token “at1”, “at2”, and “at3” added for any application 28, 30 will have its own database record.
- Typically, the nomenclature of these database records is such that the name of the record for an application permission token references the application to which that application permission token belongs. For example, if the database application record for an application installed on server 16 is “app1”, the database record for the first application permission token for that application may be “app1t1”. Examples of the information included in the database record for an application permission token include the name of the application permission token, the application with which it is associated, the application functionality with which it is associated, etc. Examples of database 40 are a SQL™ database, an Oracle™ database, a Sybase™ database, an Access™ database, etc.
- Process 10 includes an application record maintenance process 42 for producing the database records for each application (e.g., 28, 30) configured by administrator 20. Additionally, an application token record maintenance process 44 produces the database record for each application permission token (e.g., “at1”, “at2”, and “at3”) configured by administrator 20.
- Database 46 is the network domain database of the network operating system (NOS) that runs on server 16 and allows communication over network 18.
- Network operating systems such as Windows NT Server™, Windows 2000 Advanced Server™, and Novell Netware™ use an internal database to administer the network.
- Typically, these databases include database records for network users, services installed on the network, applications available on the network, user groups, security rights, etc.
- This database 46, which is produced and maintained by the network operating system running on server 16, is also modified by process 10 each time an application 28, 30 or an application permission token “at1”, “at2”, “at3” is configured by administrator 20.
- Accordingly, database 46 mirrors the information included in database 40.
- However, database 40 is a specialized database produced and maintained by process 10.
- Therefore, the individual records in database 40 contain more information than the corresponding records in database 46.
- Whenever an application is configured by administrator 20, an application record is produced in database 46.
- Likewise, whenever an application permission token is configured, an application permission token database record is also produced in database 46.
- Application token database records are configured as groups in databases 40 and 46, and any user who is a member of these groups has access to that application permission token and, therefore, the application functionality associated with that application permission token.
- Process 10 includes a user record maintenance process 48 that allows administrator 20 to add and delete (i.e., manage) users 12 of process 10.
- Whenever a user is added, a user database record is produced in databases 40 and 46.
- As stated above, each of these databases includes a record for each application permission token configured by administrator 20.
- A role maintenance process 50 allows for the production of user groups. Through role maintenance process 50, administrator 20 can define a user group in which its members all have equivalent permission to various application permission tokens (e.g., “at1”, “at2”, and “at3”). Therefore, by making a user 12 a member of a user group produced by role maintenance process 50, that user will have the rights of the group as defined by administrator 20, namely access to the specific application permission tokens defined by administrator 20.
- In addition to controlling access to application functionalities, process 10 can also control a user's access to various folders and sub-folders within a directory structure.
- A folder permission configuration process 52 assigns a folder permission token (e.g., “ft1”) to one or more folders 54 within a directory structure 55.
- Directory structure 55 may be the file structure of a file transfer protocol (FTP) server or may be the folders or directories of a local hard drive or remote server drive.
- A user permission configuration process 54 regulates the access that user 12 has to the application and/or folder permission tokens (which were assigned by administrator 20 using either application permission configuration process 26 or folder permission configuration process 52). This, in turn, regulates the access that user 12 has to the related application functionalities and/or folders.
- When user 12 attempts to use an application functionality or to open a folder, user permission configuration process 54 accesses the user database record for that user to determine if they have access to the tokens associated with these functionalities and/or folders.
- As stated above, these can be discrete access rights to specific tokens or can be membership in a group in which all members of the group have defined access rights.
- If user 12 does not have the proper application access rights (for a specific application functionality) or folder access rights (for a specific folder in a directory structure), that user's access to the application functionalities and/or folder contents, respectively, will be denied.
- A folder token record maintenance process 56 updates databases 40 and 46 to include a folder token database record for each folder permission token (e.g., “ft1”) assigned by administrator 20.
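The token model described above (application records, token records named after their application such as “app1t1”, folder tokens, roles, and the user permission check), worked through in Python as an added example that is not the patent's own code. The in-memory FrameworkDb, the function names and the sample intranet scenario are assumptions constructed for this example; refusing a functionality that has no token assigned (default-deny) is also this example's choice, not something the page states.

```python
from dataclasses import dataclass, field


@dataclass
class FrameworkDb:
    """In-memory stand-in for the security framework database (database 40)."""
    applications: dict = field(default_factory=dict)   # app record -> info
    app_tokens: dict = field(default_factory=dict)     # "app1t1" -> (app, functionality)
    folder_tokens: dict = field(default_factory=dict)  # "ft1" -> folder path
    roles: dict = field(default_factory=dict)          # group name -> set of tokens
    users: dict = field(default_factory=dict)          # user -> {"tokens", "roles"}


def add_application(db, app_record, **info):
    """Application record maintenance: one record per configured application."""
    db.applications[app_record] = dict(info)


def assign_app_token(db, app_record, functionality):
    """Application token record maintenance: the token record name references
    the application it belongs to (app1 -> app1t1, app1t2, ...)."""
    if app_record not in db.applications:
        raise KeyError(f"unknown application record {app_record!r}")
    index = 1 + sum(1 for app, _ in db.app_tokens.values() if app == app_record)
    token = f"{app_record}t{index}"
    db.app_tokens[token] = (app_record, functionality)
    return token


def assign_folder_token(db, folder):
    """Folder token record maintenance: one token record per guarded folder."""
    token = f"ft{len(db.folder_tokens) + 1}"
    db.folder_tokens[token] = folder
    return token


def add_user(db, user):
    """User record maintenance: a user record with no rights yet."""
    db.users[user] = {"tokens": set(), "roles": set()}


def define_role(db, role, tokens):
    """Role maintenance: every member gets equivalent access to these tokens."""
    db.roles[role] = set(tokens)


def grant(db, user, token):
    """Discrete access right to one specific token."""
    db.users[user]["tokens"].add(token)


def enroll_in_role(db, user, role):
    db.users[user]["roles"].add(role)


def effective_tokens(db, user):
    """Discrete token grants plus the tokens of every group the user belongs to."""
    record = db.users[user]
    tokens = set(record["tokens"])
    for role in record["roles"]:
        tokens |= db.roles.get(role, set())
    return tokens


def may_use(db, user, app_record, functionality):
    """User permission configuration check for an application functionality.
    Default-deny (this example's choice): a functionality with no token
    assigned is refused rather than left unregulated."""
    guarding = {t for t, (app, func) in db.app_tokens.items()
                if app == app_record and func == functionality}
    return bool(guarding & effective_tokens(db, user))


def may_open(db, user, folder):
    """Folder access check: the user must hold a token assigned to that folder."""
    guarding = {t for t, f in db.folder_tokens.items() if f == folder}
    return bool(guarding & effective_tokens(db, user))


def build_sample():
    """Constructed scenario mirroring the page's employee-directory example:
    directory link for low-level managers, search for mid-level, salary for high-level."""
    db = FrameworkDb()
    add_application(db, "app1", name="intranet", version="1.0")
    directory = assign_app_token(db, "app1", "employee directory link")  # app1t1
    search = assign_app_token(db, "app1", "employee search")             # app1t2
    salary = assign_app_token(db, "app1", "employee salary link")        # app1t3
    reports = assign_folder_token(db, "/ftp/reports")                    # ft1
    define_role(db, "low-level managers", [directory])
    define_role(db, "mid-level managers", [directory, search])
    define_role(db, "high-level managers", [directory, search, salary, reports])
    for user, role in (("alice", "low-level managers"),
                       ("bob", "mid-level managers"),
                       ("carol", "high-level managers")):
        add_user(db, user)
        enroll_in_role(db, user, role)
    return db
```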
- Process 10 also includes a user enrollment process 58 that requires the user to prove their identity when they first log into server 16.
- When administrator 20 adds user 12, the administrator assigns them a user name and a temporary password.
- When user 12 subsequently logs into process 10 using that user name and temporary password, that login itself can serve as proof of their identity.
- Alternatively, user 12 may be required (by user enrollment process 58) to provide sensitive information known only to the user (e.g., the user's social security number, mother's maiden name, favorite pet's name, etc.).
- Once the identity of user 12 is proven, an authenticity certificate 60 is produced for user 12. Authenticity certificate 60 is typically stored on the remote computer 24 that user 12 uses to access server 16 and process 10.
- Authenticity certificate 60 identifies the user (typically using some form of serial number) and may include a unique encryption key (not shown) for encrypting any data communicated between the user's computer 22 and server 16. Therefore, any future communications between these computers will utilize encrypted data.
- Before this authenticity certificate 60 is produced for newly-added user 12, that user may be required to enter personal information about themselves in order to complete the enrollment process. If this personal information is desired/required by administrator 20, a user personal information input process 62 requires user 12 to enter this information upon first logging into server 16. Examples of this information are first name, middle name, last name, home address, city, state, zip, home phone number, date of birth, date of employment, job title, etc.
- Accordingly, administrator 20 may configure user personal information input process 62 so that the authenticity certificate 60 is not produced until after the user submits the personal information and it is accepted.
- Additionally, a manual verification process 64 may require that the personal information entered by user 12 be approved by administrator 20 prior to user 12 completing the enrollment process. Therefore, user 12 may not receive the authenticity certificate 60 until not only the new user enters their personal information, but that information is reviewed and approved by administrator 20.
- Once the enrollment process is complete, the authenticity certificate 60 will be provided to user 12.
- Typically, this authenticity certificate 60 is stored locally on the user's computer 22.
- When user 12 logs into server 16, user 12 will be prompted for their user name and password.
- Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 will be accessed from database 40 and/or 46.
- These user database records typically identify the user by a unique serial number that is also included on that user's certificate of authenticity 60. Therefore, once process 10 obtains the serial number for user 12 from databases 40 and/or 46, process 10 requests a copy of the certificate stored locally on the user's computer 22. A network authentication process 57 then compares the serial number encoded within certificate of authenticity 60 to the serial number in that user's database record.
- Additionally, administrator 20 may import a text file (not shown) from a remote computer (not shown) such as a mainframe. This would enable process 10 to be quickly configured such that the access rights specified by process 10 are identical to the access rights of the users of a process running on the remote computer, thus allowing for rapid system deployment and configuration.
- A session management process 66 polices and verifies the integrity of the sessions (or connections) between the users (e.g., user 12) and process 10.
- Session management process 66 includes an inactivity timer 68 for monitoring the amount of time that a session has been inactive (e.g., no data or information entered by the user). In the event that the session has been inactive for greater than a defined period of time (as defined by administrator 20), that session is disconnected. Therefore, if disconnected, user 12 will be required to reestablish the session before they may continue to use process 10.
- The length of this defined period of time may be varied depending on the particular application that the user is working on.
- Session management process 66 also includes a point-in-time timeout process 70 for disconnecting sessions at an administrator-defined point in time. This enables all sessions (or a portion thereof) to be disconnected at a specific time of day, thus allowing, for example, the performance of maintenance tasks on process 10 or server 16.
- Additionally, session management process 66 includes a session restriction process 72 that prevents multiple users from logging into process 10 and/or server 16 using a single user ID.
- When a user logs into server 16, that user is prompted to enter their user name and password.
- Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 is accessed from database 40 and/or 46.
- Additionally, a session record is created (in database 40) for the user's current session.
- Written into this session record is a unique browser ID that is obtained from the web browser that user 12 is using to access process 10.
- This session record uniquely identifies the computer currently being used by user 12 and, therefore, uniquely identifies that user's current session. Further, each time a new session is established for user 12, a new session record is created and any previously established session is suspended.
- Session restriction process 72 may be interfaced with user record maintenance process 48 so that, in the event that multiple users log in (or attempt to log in) using a single user ID, user record maintenance process 48 disables or deletes that user ID. This is done on the premise that the confidentiality of that user ID was compromised and, therefore, a new user ID should be created for that user.
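The session management behaviour described above (inactivity timer 68, point-in-time timeout 70, and session restriction process 72 with its browser-ID session records and user-ID disabling), as an added Python example that is not the patent's own code. The SessionManager class, the in-memory session list standing in for the session records in database 40, and the clock values and browser IDs are assumptions constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class SessionRecord:
    user_id: str
    browser_id: str        # unique browser ID obtained from the user's web browser
    last_activity: float   # constructed clock value, in seconds
    active: bool = True


class SessionManager:
    def __init__(self, inactivity_limit, forced_timeout_at=None):
        self.inactivity_limit = inactivity_limit    # inactivity timer 68 (admin-defined)
        self.forced_timeout_at = forced_timeout_at  # point-in-time timeout 70, or None
        self.sessions = []                          # session records (database 40 analogue)
        self.disabled_user_ids = set()              # user IDs disabled by process 48

    def _is_live(self, session, now):
        """A session is live while it is active and within the inactivity limit."""
        return session.active and (now - session.last_activity) <= self.inactivity_limit

    def login(self, user_id, browser_id, now):
        """Session restriction process 72. Returns the new session record, or None
        when the user ID is disabled or when a different browser already holds a
        live session for the same user ID (the ID is then treated as compromised)."""
        if user_id in self.disabled_user_ids:
            return None
        live = [s for s in self.sessions
                if s.user_id == user_id and self._is_live(s, now)]
        if any(s.browser_id != browser_id for s in live):
            # Two distinct browsers on one user ID: suspend everything, disable the ID.
            for s in live:
                s.active = False
            self.disabled_user_ids.add(user_id)
            return None
        for s in live:  # a new session suspends any previously established session
            s.active = False
        record = SessionRecord(user_id, browser_id, now)
        self.sessions.append(record)
        return record

    def check_request(self, session, now):
        """Called on every request: enforces the inactivity timer and the
        point-in-time timeout, then refreshes the activity timestamp."""
        if not self._is_live(session, now):
            session.active = False
            return False
        if self.forced_timeout_at is not None and now >= self.forced_timeout_at:
            session.active = False
            return False
        session.last_activity = now
        return True
```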
- Referring to FIG. 2, a method 100 for regulating the application functionality and network access of a user is shown.
- An application permission token is assigned 102 to one or more application functionalities of an application running on a server.
- The access rights of the user are defined in that a user who has access to an application permission token is granted access to its related application functionality.
- These application permission tokens of the application and the application access rights of the user are stored 106 on a database.
- An administrator defines 108 the application functionalities of an application.
- An application database record is maintained 110 for each application running on the server. Further, an application token database record is also maintained 112 for each application permission token assigned to the application functionalities of the application running on the server. Additionally, a user database record is maintained for each user who has access to the system.
- Newly-added users are authenticated 116 by requiring the newly-added user to prove their identity. Once their identity is proven, an authenticity certificate is produced for and provided to 118 the newly-added user. This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting 120 the data communicated between the user's computer and the server. A user is authenticated 122 upon login by comparing the information encoded within the authenticity certificate to information stored on the database.
- A newly-added user may be required 124 to provide personal information prior to the creation of the authenticity certificate. Additionally, the administrator may require 126 that the personal information entered by the user be approved prior to the creation of the authenticity certificate.
- A user group is maintained 128 such that all members of the user group have equivalent access to the permission tokens assigned by the administrator.
- A folder permission token is assigned 130 to one or more folders within a directory structure. These folder permission tokens are then used to regulate the access of a user to the particular folders within the directory structure. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder.
- A folder token database record is produced 132 for each folder permission token assigned to the folders within the directory structure.
Description
- This application claims the priority of U.S. Provisional Patent Application No. 60/313,954, filed on Aug. 21, 2001, and entitled “Web Security Framework”.
- This invention relates to network-based security.
- Computer networks (e.g., local area networks, wide area networks, intranets, extranets, the internet, etc.) allow computer users to share information and data files. A user, when logging into a computer network, is typically required to enter a user I.D. and password that identifies the user, grants the user access, and assigns the user rights to resources available on the network.
- As the level of access granted to users typically varies from user to user, the resources, data files, and applications available to the individual users will also vary.
- Computer networks that provide access to sensitive data often use data encryption and enhanced security procedures to prevent unauthorized access to the sensitive data and system resources of the network.
- According to an aspect of this invention, a process, residing on a server, regulates the application functionality and network access of a user. An application permission configuration process assigns an application permission token to one or more application functionalities of an application running on the server. A user permission configuration process regulates the access a user has to the application permission tokens assigned by the application permission configuration process. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. A database stores the application permission tokens of the application and the application rights of the user.
- One or more of the following features may also be included. The application permission configuration process includes a functionality configuration process for defining the application functionalities (e.g., a web-based process or a uniform resource locator available on a website). An application record maintenance process produces an application database record for the application running on the server. An application token record maintenance process produces an application token database record for each application permission token assigned to the application functionalities of the application running on the server. A user record maintenance process produces a user database record for the user.
- The database includes a network domain database (e.g., a Windows NT™ domain user and group database) and a security framework database (e.g., a SQL database). The application database records, application token database records, and user database records are stored on both the network domain database and the security framework database.
- A user enrollment process authenticates a newly-added user by requiring the newly-added user to prove their identity. An authenticity certificate is then produced for and provided to the newly-added user. This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting any data communicated between the user's computer and the server. A network authentication process authenticates a user upon login by comparing information encoded within the authenticity certificate to information stored on the database.
- The user enrollment process includes a user personal information input process that requires the newly-added user to provide personal information prior to the creation of their authenticity certificate. The user enrollment process also includes a manual verification process that requires an administrator to approve the personal information entered by the user.
- A role maintenance process maintains a user group such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process.
- A folder permission configuration process assigns a folder permission token to one or more folders within a directory structure. The user permission configuration process is configured to regulate the access of the user to these folder permission tokens assigned by the folder permission configuration process. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder. A folder token record maintenance process produces a folder token database record for each folder permission token assigned to the folders within a directory structure. These folders may be directory folders within the file directory of the server or file transfer protocol (FTP) folders on an FTP server.
- According to a further aspect of this invention, a method for regulating the application functionality and network access of a user includes assigning an application permission token to one or more application functionalities of an application running on the server. The access that a user has to these application permission tokens is regulated. This, in turn, defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. The application permission tokens of the application and the application access rights of the user are stored on a database.
- One or more of the following features may be included. Assigning an application permission token includes defining the application functionalities. An application database record is produced for each application running on the server. An application token database record is produced for each application permission token assigned to the application functionalities of the application running on the server. A user database record is produced for each user of the server. Newly-added users are authenticated by requiring the newly-added users to prove their identity. An authenticity certificate is then produced for and provided to the newly-added user. The authenticity certificate identifies the newly-added user and includes a unique encryption key that encrypts any data communicated between the user's computer and the server. The user is authenticated upon login by comparing the information encoded within the authenticity certificate to the information stored on the database. Authenticating newly-added users further includes requiring the newly-added user to provide personal information prior to the creation of the authenticity certificate and requiring an administrator to approve the personal information entered by the user.
- A user group is produced such that all members of the user group have equivalent access to the permission tokens assigned by the application permission configuration process.
- A folder permission token is assigned to one or more folders within a directory structure. Regulating the access of the user also regulates the user's access to these folder permission tokens. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder. A folder token database record is produced for each folder permission token assigned to the folders within the directory structure.
- According to a further aspect of this invention, a computer program product, which resides on a computer readable medium, has a plurality of instructions stored on it. When executed by a processor, these instructions cause the processor to assign an application permission token to one or more application functionalities of an application running on a server. The instructions also regulate the access of a user to the assigned application permission tokens. This defines the application access rights of the user, such that a user who has access to an application permission token is granted access to its related application functionality. The instructions further store, on a database, the application permission tokens of the application and the application access rights of the user.
- One or more advantages can be provided from the above. Network security can be enhanced. By allowing an administrator to assign tokens to the various functionalities of an application, user access rights can be fine tuned to an enhanced level. By combining traditional logon procedures (i.e., user names and passwords) with authenticity certificates, network security can be further enhanced. By utilizing tokens to assign rights to individual folders within an FTP directory structure, the folder access can also be refined and enhanced.
- The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the invention will be apparent from the description and drawings, and from the claims.
- FIG. 1 is a block diagram of a network security process; and
- FIG. 2 is a flow chart depicting a method for providing network security.
- Referring to FIG. 1, a process 10 regulates the application functionality and network access of a user 12. Process 10 resides on a storage device 14 on server 16. This storage device 14 can be a hard disk drive, a tape drive, an optical drive, a RAID array, a random access memory (RAM), or a read-only memory (ROM). Distributed computing network 18 can be the Internet, an intranet, a local area network, an extranet, or any other form of network environment. Process 10 is typically administered by an administrator 20 using a graphical user interface (not shown) running on a remote computer 22, which is also connected to network 18. The graphical user interface can be a web browser, such as Microsoft Internet Explorer™ or Netscape Navigator™. A network user 12 typically accesses process 10 and the data and resources stored on storage device 14 through a remote computer 24 that is also connected to network 18.
- Process 10 is typically a web-enabled process that is accessible through a web browser. Since web browsers are cross-platform compatible, configuring process 10 as a web-based process reduces hardware compatibility issues concerning remote computers 22, 24. Server 16 runs web server software, such as Microsoft Internet Information Server™, to facilitate operation of process 10 in a web environment.
- Process 10 includes an application permission configuration process 26 that allows administrator 20 to assign an application permission token to one or more application functionalities of an application 28 running on server 16. These application permission tokens are used by process 10 to identify each application functionality of the application to which they are assigned. For example, "at1" may be an application permission token that corresponds to a database query command on a web page, "at2" may be an application permission token that corresponds to a compile report command on a web page, and "at3" may be an application permission token that corresponds to a print report command on a web page, such that each of these commands represents a unique functionality of the application. By regulating the access that a user 12 has to these application permission tokens "at1", "at2" and "at3", the user's access to the various application functionalities of application 28 can be controlled.
- The individual application functionalities of application 28 are configured by administrator 20 using computer 22.
- Concerning web-based applications and web pages, an application functionality can be a link (i.e., URL) that allows a user to access another web page or web-based process, or the application functionality can be the web-based process itself. For example, the intranet homepage of a company's internal website may be accessible by all employees. However, a link on that homepage to an employee name directory web page may be an application functionality that is restricted, via permission tokens, so that only low-level managers (and above) can access this page. On this employee name directory web page is an employee search query box that allows users to search the employee records to determine various pieces of semi-confidential information (such as starting dates, home addresses, etc.). The use of this search command within this employee name directory web page may be configured as a separate application functionality and, therefore, further restricted (via permission tokens) so that only mid-level managers (and above) can execute that search command and view the search results. Further, assume that also within this employee name directory web page there is a separate link that goes to an employee salary web page that lists the salary of each employee within the company. Obviously, this is highly confidential information that should only be made available to high-level managers within the company. Therefore, the link to this employee salary web page is a separate application functionality that is further restricted, via permission tokens, so that only high-level managers have access to this sensitive information.
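The token scheme described above, as an added example that is not part of the patent: each application functionality and each folder is guarded by a permission token, each token record behaves as a group, and a user reaches the guarded resource by holding the token directly or through a role (user group) whose members share the same tokens, as the summary above introduces. Token records are named by appending t1, t2, ... to the application record name. The class, method names, the in-memory store and the sample users and roles are assumptions made here; the resources are the intranet directory scenario from the text.

```python
"""Added example of the token-based permission scheme; not code from the patent.

Application permission tokens guard functionalities of an application and
folder permission tokens guard folders. Each token record is a group; a user
reaches the guarded functionality or folder by being a member of that group,
either directly or through a role (user group) whose members share the same
tokens. The class, method names and sample data are assumptions made here.
"""
from collections import defaultdict


class SecurityFramework:
    """In-memory stand-in for database 40: application, token, user and role records."""

    def __init__(self):
        self.applications = {}                 # application record name -> display name
        self.app_tokens = {}                   # "app1t1" -> (application record, functionality)
        self.folder_tokens = {}                # "ft1" -> folder path
        self.guard = {}                        # (kind, resource) -> token record that guards it
        self.users = set()
        self.token_members = defaultdict(set)  # token -> user names and role names holding it
        self.role_members = defaultdict(set)   # role -> user names

    # application permission configuration process
    def add_application(self, app_record, name):
        self.applications[app_record] = name

    def assign_app_token(self, app_record, functionality):
        """Name the token after its application: app1t1, app1t2, ... (the patent's convention)."""
        if app_record not in self.applications:
            raise KeyError(f"unknown application {app_record}")
        n = sum(1 for app, _ in self.app_tokens.values() if app == app_record) + 1
        token = f"{app_record}t{n}"
        self.app_tokens[token] = (app_record, functionality)
        self.guard[("app", functionality)] = token
        return token

    # folder permission configuration process
    def assign_folder_token(self, folder):
        token = f"ft{len(self.folder_tokens) + 1}"
        self.folder_tokens[token] = folder
        self.guard[("folder", folder)] = token
        return token

    # user record maintenance and role maintenance processes
    def add_user(self, user):
        self.users.add(user)

    def define_role(self, role, *tokens):
        for token in tokens:
            self._require_token(token)
            self.token_members[token].add(role)

    def add_user_to_role(self, user, role):
        self.role_members[role].add(user)

    def grant(self, user, token):
        self._require_token(token)
        self.token_members[token].add(user)

    def revoke(self, user, token):
        self.token_members[token].discard(user)

    def _require_token(self, token):
        if token not in self.app_tokens and token not in self.folder_tokens:
            raise KeyError(f"unknown token {token}")

    # user permission configuration process: the access decision
    def tokens_for(self, user):
        """Tokens the user holds directly plus those held by any role the user belongs to."""
        roles = {r for r, members in self.role_members.items() if user in members}
        return {t for t, members in self.token_members.items()
                if user in members or members & roles}

    def can_access(self, user, kind, resource):
        """Unknown users are refused; a resource with no token is open to any known user."""
        if user not in self.users:
            return False
        token = self.guard.get((kind, resource))
        if token is None:
            return True
        return token in self.tokens_for(user)


def build_example():
    """The intranet scenario from the description, with constructed user and role names."""
    fw = SecurityFramework()
    fw.add_application("app1", "intranet")
    at1 = fw.assign_app_token("app1", "/directory")         # employee name directory page
    at2 = fw.assign_app_token("app1", "/directory/search")  # search command on that page
    at3 = fw.assign_app_token("app1", "/directory/salary")  # salary page linked from it
    ft1 = fw.assign_folder_token("/ftp/reports")            # a folder on the FTP server
    fw.define_role("low_mgmt", at1)
    fw.define_role("mid_mgmt", at1, at2, ft1)
    fw.define_role("high_mgmt", at1, at2, at3, ft1)
    for user, role in (("alice", "low_mgmt"), ("bob", "mid_mgmt"), ("carol", "high_mgmt")):
        fw.add_user(user)
        fw.add_user_to_role(user, role)
    fw.add_user("dave")        # new employee: no role, so only untokenised pages
    fw.grant("dave", ft1)      # one discrete grant outside any role
    return fw


if __name__ == "__main__":
    fw = build_example()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(fw.tokens_for(user)),
              fw.can_access(user, "app", "/directory/salary"))
```

The `can_access` default of allowing a resource that carries no token mirrors the intranet homepage that every employee may open; a deployment that wants every page fail-closed would return `False` in that branch and assign a token to each functionality it exposes.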
- During initial configuration of an application 28 by administrator 20, a functionality configuration process 38 incorporated into application permission configuration process 26 is used by administrator 20 to assign application permission tokens to various application functionalities of the application being configured. Administrator 20 can assign application permission tokens to as many or as few application functionalities of the application as desired. Accordingly, administrator 20 fully controls how finely access to an application is partitioned.
- Process 10 maintains a database 40, which typically resides on storage device 14, that specifies each application configured by administrator 20. Each time an application is initially configured by administrator 20, database 40 is modified to include a record for that newly-configured application. Information included in this record can be the manufacturer of the program, the name of the program, the version of the program, the date configured, etc. Additionally, each application permission token "at1", "at2", and "at3" added for any application is recorded in database 40.
- Typically, the nomenclature of these database records is such that the name of the record for an application permission token references the application to which that application permission token belongs. For example, if the database application record for an application installed on server 16 is "app1", the database record for the first application permission token for that application may be "app1t1". Examples of the information included in the database record for an application permission token include the name of the application permission token, the application with which it is associated, the application functionality with which it is associated, etc. Examples of database 40 are a SQL™ database, an Oracle™ database, a Sybase™ database, an Access™ database, etc. Process 10 includes an application record maintenance process 42 for producing the database records for each application (e.g., 28, 30) configured by administrator 20. Additionally, an application token record maintenance process 44 produces the database record for each application permission token (e.g., "at1", "at2", and "at3") configured by administrator 20.
- In addition to database 40, which is a stand-alone database produced and maintained by process 10, a second database 46 is also modified and maintained by process 10. Database 46 is the network domain database of the network operating system (NOS) that runs on server 16 and allows communication over network 18. Specifically, network operating systems such as Windows NT Server™, Windows 2000 Advanced Server™, and Novell NetWare™ use an internal database to administer the network. Typically, these databases include database records for network users, services installed on the network, applications available on the network, user groups, security rights, etc. This database 46, which is produced and maintained by the network operating system running on server 16, is also modified by process 10 each time an application is configured by administrator 20. Typically, database 46 mirrors the information included in database 40. However, because database 40 is a specialized database produced and maintained by process 10, the individual records in database 40 contain more information than the corresponding records in database 46. Accordingly, each time an application is configured in process 10 by administrator 20, an application record is produced in database 46. Additionally, each time an application permission token "at1", "at2", "at3" is configured in process 10 by administrator 20, an application token database record is also produced in database 46. Typically, application token database records are configured as groups in databases 40 and 46.
- In addition to configuring applications and permission tokens "at1", "at2", "at3", the administrator also configures the individual users 12 of process 10. The users are configured so that a user's access to the application functionalities of application 28 can be regulated. Accordingly, process 10 includes a user record maintenance process 48 that allows administrator 20 to add and delete (i.e., manage) users 12 from process 10. Each time administrator 20 produces a user 12 on process 10, a user database record is produced in databases 40 and 46, and the application permission tokens that user may access are defined by administrator 20. Further, as stated above, by granting a user access to these application permission tokens "at1", "at2", "at3", user 12 gains access to the application functionalities associated with each one of these tokens. Therefore, since each database record concerning an application permission token is configured as a group, adding a user to one of these groups (i.e., making them a member) gives that user access to that application permission token and, therefore, to the functionality related to that application permission token. In the event that a user's access is changed, this user can be added to or removed from the database records (i.e., groups) of each application permission token via user record maintenance process 48.
- Typically, similarly situated users are granted identical access rights. For example, it is not uncommon for all new employees at a company to be granted only basic access rights, while mid-level management has enhanced rights, upper-level management has superior rights, and administrators have complete access. Accordingly, it is desirable to be able to configure each of these various levels of access rights as a separate group, such that all the members of the group have the same access rights. This allows administrator 20 to quickly configure users by adding or removing them from these user groups. A role maintenance process 50 allows for the production of such user groups. Through role maintenance process 50, administrator 20 can define a user group in which its members all have equivalent permission to various application permission tokens (e.g., "at1", "at2", and "at3"). Therefore, by making a user 12 a member of a user group produced by role maintenance process 50, that user will have the rights of the group as defined by administrator 20, namely access to the specific application permission tokens defined by administrator 20.
- In addition to the above-described ways in which process 10 controls a user's access to various application functionalities, process 10 can also control a user's access to various folders and sub-folders within a directory structure. A folder permission configuration process 52 assigns a folder permission token (e.g., "ft1") to one or more folders 54 within a directory structure 55. Directory structure 55 may be the file structure of a file transfer protocol (FTP) server or may be the folders or directories of a local hard drive or remote server drive.
- Regardless of the type of token assigned (i.e., an application permission token or a folder permission token), a user permission configuration process 54 regulates the access that user 12 has to the application and/or folder permission tokens (which were assigned by administrator 20 using either application permission configuration process 26 or folder permission configuration process 52). This, in turn, regulates the access that user 12 has to the related application functionalities and/or folders.
- Accordingly, each time a user 12 tries to access an application functionality or folder 54, user permission configuration process 54 accesses the user database record for that user to determine whether they have access to the tokens associated with these functionalities and/or folders. As explained above, these can be discrete access rights to specific tokens or membership in a group in which all members have defined access rights. In the event that user 12 does not have the proper application access rights (for a specific application functionality) or folder access rights (for a specific folder in a directory structure), that user's access to the application functionality and/or folder contents, respectively, will be denied.
- As with the application permission tokens, each time a folder permission token is produced, a folder token record maintenance process 56 updates databases 40 and 46 with a folder token database record for the token configured by administrator 20.
- Each time a new user is added, that newly-added user is authenticated by a
user enrollment process 58 that requires the user to prove their identity when they first log into server 16. Typically, when administrator 20 adds user 12, the administrator assigns them a user name and a temporary password. When user 12 subsequently logs into process 10 using that user name and temporary password, that login itself can serve as proof of their identity. Additionally, upon logging in, user 12 may be required (by user enrollment process 58) to provide sensitive information known only to the user (e.g., the user's social security number, mother's maiden name, favorite pet's name, etc.).
- Once user 12 proves their identity to the level required by administrator 20, user enrollment process 58 generates an authenticity certificate 60 that is provided to user 12. Authenticity certificate 60 is typically stored on the remote computer 24 that user 12 uses to access server 16 and process 10. Authenticity certificate 60 identifies the user (typically using some form of serial number) and may include a unique encryption key (not shown) for encrypting any data communicated between the user's computer 24 and server 16. Therefore, any future communications between these computers will utilize encrypted data.
- Once this authenticity certificate 60 is produced for newly-added user 12, that user may be required to enter personal information about themselves in order to complete the enrollment process. If this personal information is desired or required by administrator 20, a user personal information input process 62 requires user 12 to enter this information upon first logging into server 16. Examples of this information are first name, middle name, last name, home address, city, state, zip, home phone number, date of birth, date of employment, job title, etc.
- Alternatively, administrator 20 may configure user personal information input process 62 so that the authenticity certificate 60 is not produced until after the user submits the personal information and it is accepted. For example, a manual verification process 64 may require that the personal information entered by user 12 be approved by administrator 20 before user 12 completes the enrollment process. Therefore, user 12 may not receive the authenticity certificate 60 until the new user has entered their personal information and that information has been reviewed and approved by administrator 20.
- Once this personal information is entered by user 12 and accepted by administrator 20, the authenticity certificate 60 will be provided to user 12. As stated above, this authenticity certificate 60 is stored locally on the user's computer 24. When user 12 logs into server 16, user 12 will be prompted for their user name and password. Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 will be accessed from database 40 and/or 46.
- As stated above, these user database records typically identify the user by a unique serial number that is also included on that user's certificate of authenticity 60. Therefore, once process 10 obtains the serial number for user 12 from databases 40 and/or 46, process 10 requests a copy of the certificate stored locally on the user's computer 24. A network authentication process 57 then compares the serial number encoded within certificate of authenticity 60 to the serial number in that user's database record.
- In the event that the certificate of authenticity 60 does not exist, or the serial number encoded within the certificate of authenticity does not match the serial number assigned to that user, user 12 will be denied access to server 16 and process 10. However, if the serial number stored in the user's database record matches the serial number encoded within the certificate of authenticity 60 stored on computer 24, that user 12 will be granted access to server 16 and allowed to log in. At this point, the access rights (both application and folder) will be determined for that user by looking up the tokens (e.g., "at1", "at2", "at3" and "ft1") assigned to that user.
- In addition to defining the rights of
user 12 manually, administrator 20 may import a text file (not shown) from a remote computer (not shown) such as a mainframe. This would enable process 10 to be quickly configured such that the access rights specified by process 10 are identical to the access rights of the users of a process running on the remote computer, thus allowing for rapid system deployment and configuration.
- A session management process 66 polices and verifies the integrity of the sessions (or connections) between the users (e.g., user 12) and process 10.
- Session management process 66 includes an inactivity timer 68 for monitoring the amount of time that a session has been inactive (e.g., no data or information entered by the user). In the event that the session has been inactive for longer than a defined period of time (as defined by administrator 20), that session is disconnected. Therefore, if disconnected, user 12 will be required to reestablish the session before they may continue to use process 10. The length of this defined period of time may be varied depending on the particular application that the user is working on.
- Session management process 66 also includes a point-in-time timeout process 70 for disconnecting sessions at an administrator-defined point in time. This enables all sessions (or a portion thereof) to be disconnected at a specific time of day, thus allowing, for example, the performance of maintenance tasks on process 10 or server 16.
- Additionally, session management process 66 includes a session restriction process 72 that prevents multiple users from logging into process 10 and/or server 16 using a single user ID. As stated above, when a user logs into server 16, that user is prompted to enter their user name and password. Upon acceptance of the user name and password by server 16, process 10, and the network operating system running on server 16, the user database record for user 12 is accessed from database 40 and/or 46. A session record is created (in database 40) for the user's current session. Written into this session record is a unique browser ID that is obtained from the web browser that user 12 is using to access process 10. This session record uniquely identifies the computer currently being used by user 12 and, therefore, uniquely identifies that user's current session. Further, each time a new session is established for user 12, a new session record is created and any previously established session is suspended.
- Therefore, assume that an unauthorized user (not shown) obtained the user name and password of an authorized user 12 and also obtained a copy of that authorized user's certificate of authenticity 60. If the authorized user 12 is logged into process 10 and the unauthorized user subsequently logs into process 10, a new session record is generated for the unauthorized user (and the unauthorized user's computer browser) and the session record for the session previously established by user 12 is deleted. This, in turn, results in the session of user 12 being terminated. Since user 12 is now prevented from any further use of process 10, user 12 is constructively notified that their user ID, password, and/or certificate were compromised.
- Session restriction process 72 may be interfaced with user record maintenance process 48 so that in the event that multiple users log in (or attempt to log in) using a single user ID, user record maintenance process 48 disables or deletes that user ID. This is done on the premise that the confidentiality of that user ID was compromised and, therefore, a new user ID should be created for that user.
- Referring to FIG. 2, a
method 100 for regulating the application functionality and network access of a user is shown. An application permission token is assigned 102 to one or more application functionalities of an application running on a server. By regulating 104 the access the user has to these application permission tokens, the access rights of the user are defined in that a user who has access to an application permission token is granted access to its related application functionality.
- These application permission tokens of the application and the application access rights of the user are stored 106 on a database. An administrator defines 108 the application functionalities of an application. An application database record is maintained 110 for each application running on the server. Further, an application token database record is also maintained 112 for each application permission token assigned to the application functionalities of the application running on the server. Additionally, a user database record is maintained for each user who has access to the system.
- Newly-added users are authenticated 116 by requiring the newly-added user to prove their identity. Once their identity is proven, an authenticity certificate is produced for and provided to 118 the newly-added user. This authenticity certificate identifies the newly-added user and includes a unique encryption key for encrypting 120 the data communicated between the user's computer and the server. A user is authenticated 122 upon log in by comparing the information encoded within the authenticity certificate to information stored on the database.
- A newly-added user may be required 124 to provide personal information prior to the creation of the authenticity certificate. Additionally, the administrator may require 126 that the personal information entered by the user be approved prior to the creation of the authenticity certificate. A user group is maintained 128 such that all members of the user group have equivalent access to the permission tokens assigned by the administrator.
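The enrollment and login sequence (steps 116 through 126 above) as an added example that is not part of the patent: identity proof with the temporary password and a secret answer, personal-information entry, administrator approval, issuance of a certificate carrying a serial number and a per-user key, and a login that checks the password and then compares the serial number in the presented certificate with the one in the user record. The record layout, class and method names are assumptions; the server-side HMAC over the certificate is an addition made here so that a certificate whose serial number has been edited is rejected before the comparison, something the patent's serial-number check alone does not do.

```python
"""Added example of enrollment and certificate-checked login; not code from the patent.

A newly added user proves identity with the temporary password and a secret
answer, enters personal information, waits for administrator approval, and is
then issued an authenticity certificate carrying a serial number and a per-user
key. Login checks the password, then compares the serial number in the presented
certificate with the one in the user record. The server-side HMAC over the
certificate is an addition made here so that an edited certificate fails before
the serial comparison; the record layout and names are assumptions.
"""
import hashlib
import hmac
import json
import secrets


def _derive(secret, salt):
    """Slow hash for stored passwords and secret answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _sign(key, body):
    """Server-side tag over the certificate fields (addition beyond the patent's description)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


class UserStore:
    """In-memory stand-in for the user records of databases 40/46."""

    def __init__(self):
        self.records = {}

    def add_user(self, name, temp_password, secret_answer, require_approval=True):
        salt = secrets.token_bytes(16)
        self.records[name] = {
            "salt": salt,
            "pw": _derive(temp_password, salt),
            "answer": _derive(secret_answer.strip().lower(), salt),
            "require_approval": require_approval,
            "proven": False,
            "approved": False,
            "personal_info": None,
            "serial": None,            # set when the certificate is issued
        }


class UserEnrollmentProcess:
    def __init__(self, store, server_key):
        self.store, self.key = store, server_key

    def prove_identity(self, name, password, secret_answer):
        rec = self.store.records.get(name)
        if rec is None or rec["serial"] is not None:
            return False                      # unknown user, or already enrolled
        ok = (hmac.compare_digest(rec["pw"], _derive(password, rec["salt"]))
              and hmac.compare_digest(rec["answer"],
                                      _derive(secret_answer.strip().lower(), rec["salt"])))
        rec["proven"] = ok
        return ok

    def submit_personal_info(self, name, info):
        self.store.records[name]["personal_info"] = dict(info)

    def approve(self, name):
        """Manual verification process: the administrator accepts the submitted details."""
        self.store.records[name]["approved"] = True

    def issue_certificate(self, name):
        rec = self.store.records[name]
        if not rec["proven"]:
            raise PermissionError("identity not proven")
        if rec["personal_info"] is None:
            raise PermissionError("personal information required")
        if rec["require_approval"] and not rec["approved"]:
            raise PermissionError("awaiting administrator approval")
        body = {"user": name, "serial": secrets.token_hex(8), "key": secrets.token_hex(32)}
        rec["serial"] = body["serial"]
        return dict(body, sig=_sign(self.key, body))


class NetworkAuthenticationProcess:
    def __init__(self, store, server_key):
        self.store, self.key = store, server_key

    def login(self, name, password, certificate):
        rec = self.store.records.get(name)
        if rec is None or rec["serial"] is None:
            return False                      # no record, or enrollment never completed
        if not hmac.compare_digest(rec["pw"], _derive(password, rec["salt"])):
            return False
        if not certificate:
            return False                      # no certificate presented: denied
        body = {k: certificate.get(k) for k in ("user", "serial", "key")}
        presented_sig = str(certificate.get("sig", "")).encode()
        if not hmac.compare_digest(_sign(self.key, body).encode(), presented_sig):
            return False                      # certificate altered or not issued by this server
        return body["user"] == name and hmac.compare_digest(
            rec["serial"].encode(), str(body["serial"]).encode())
```

The certificate is plain data the browser stores and returns, so this check proves possession of a file, not possession of a private key; the page's own scenario of a copied certificate is why the session restriction below still matters.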
- A folder permission token is assigned 130 to one or more folders within a directory structure. These folder permission tokens are then used to regulate the access of a user to the particular folders within the directory structure. This defines the folder access rights of the user, such that a user who has access to a folder permission token is granted access to its related folder. A folder token database record is produced 132 for each folder permission token assigned to the folders within the directory structure.
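Session management process 66 described above (inactivity timer 68, point-in-time timeout 70, session restriction 72 and the optional disabling of a user ID that is used from two places) as an added example, not the patent's code. The class, the injectable clock, and the browser identifiers are constructed for illustration; the per-session inactivity limit stands in for the per-application period the text mentions.

```python
"""Added example of session management process 66; not code from the patent.

Covers the inactivity timer (a per-session limit, so it can differ by
application), the point-in-time timeout that ends every session at an
administrator-chosen moment, and the session restriction that allows one live
session per user ID: a new login from another browser supersedes the old
session and is recorded as a possible compromise, optionally disabling the
user ID. The clock is injectable so the behaviour can be exercised without
waiting; names are assumptions.
"""
import secrets
import time


class SessionManagementProcess:
    def __init__(self, inactivity_seconds=900, cutoff=None,
                 disable_on_conflict=False, clock=time.time):
        self.default_inactivity = inactivity_seconds
        self.cutoff = cutoff                  # absolute time at which all sessions end, or None
        self.disable_on_conflict = disable_on_conflict
        self.clock = clock
        self.sessions = {}                    # session id -> session record
        self.disabled_users = set()           # IDs disabled by user record maintenance
        self.compromise_events = []           # (user, old browser id, new browser id)

    def login(self, user, browser_id, inactivity_seconds=None):
        """Create a session record; supersede any earlier session for the same user ID."""
        if user in self.disabled_users:
            return None
        for sid, rec in list(self.sessions.items()):
            if rec["user"] != user:
                continue
            if rec["browser_id"] != browser_id:
                # same user ID from a different browser: treat the ID as possibly compromised
                self.compromise_events.append((user, rec["browser_id"], browser_id))
                if self.disable_on_conflict:
                    self.disabled_users.add(user)
            del self.sessions[sid]            # the earlier session is terminated
        if user in self.disabled_users:
            return None
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {
            "user": user,
            "browser_id": browser_id,
            "last_activity": self.clock(),
            "inactivity": inactivity_seconds or self.default_inactivity,
        }
        return sid

    def validate(self, sid, browser_id):
        """Accept a request on a session, or drop the session and refuse."""
        rec = self.sessions.get(sid)
        if rec is None or rec["browser_id"] != browser_id:
            return False                      # unknown session, or presented from another browser
        now = self.clock()
        if self.cutoff is not None and now >= self.cutoff:
            del self.sessions[sid]            # point-in-time timeout
            return False
        if now - rec["last_activity"] > rec["inactivity"]:
            del self.sessions[sid]            # inactivity timer expired
            return False
        rec["last_activity"] = now
        return True

    def disconnect_all(self):
        """Administrator-triggered disconnection, e.g. before maintenance."""
        count = len(self.sessions)
        self.sessions.clear()
        return count
```

The browser ID is supplied by the client, so it distinguishes sessions but does not by itself authenticate one; the session id returned by `login` must stay unguessable (here 24 random bytes) and the certificate check at login remains the identity control.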
- A number of embodiments of the invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.
Claims (36)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/175,942 US20030079136A1 (en) | 2001-08-21 | 2002-06-20 | Security framework |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US31395401P | 2001-08-21 | 2001-08-21 | |
US10/175,942 US20030079136A1 (en) | 2001-08-21 | 2002-06-20 | Security framework |
Publications (1)
Publication Number | Publication Date |
---|---|
US20030079136A1 true US20030079136A1 (en) | 2003-04-24 |
Family
ID=26871705
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/175,942 Abandoned US20030079136A1 (en) | 2001-08-21 | 2002-06-20 | Security framework |
Country Status (1)
Country | Link |
---|---|
US (1) | US20030079136A1 (en) |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040001101A1 (en) * | 2002-06-27 | 2004-01-01 | Koninklijke Philips Electronics N.V. | Active window switcher |
US20040059587A1 (en) * | 2002-09-25 | 2004-03-25 | Astle Robert L. | Method and apparatus for associating privileges with people in an organization |
- 2002-06-20 US US10/175,942 patent/US20030079136A1/en, status: not active (Abandoned)
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6405318B1 (en) * | 1999-03-12 | 2002-06-11 | Psionic Software, Inc. | Intrusion detection system |
US6728884B1 (en) * | 1999-10-01 | 2004-04-27 | Entrust, Inc. | Integrating heterogeneous authentication and authorization mechanisms into an application access control system |
US6785666B1 (en) * | 2000-07-11 | 2004-08-31 | Revenue Science, Inc. | Method and system for parsing navigation information |
Cited By (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040001101A1 (en) * | 2002-06-27 | 2004-01-01 | Koninklijke Philips Electronics N.V. | Active window switcher |
US20040059587A1 (en) * | 2002-09-25 | 2004-03-25 | Astle Robert L. | Method and apparatus for associating privileges with people in an organization |
US8473321B2 (en) * | 2002-09-25 | 2013-06-25 | Hewlett-Packard Development Company, L.P. | Method and apparatus for associating privileges with people in an organization |
US20140366108A1 (en) * | 2003-02-13 | 2014-12-11 | Microsoft Corporation | Digital Identity Management |
US9477832B2 (en) * | 2003-02-13 | 2016-10-25 | Microsoft Technology Licensing, Llc | Digital identity management |
DE102004003593A1 (en) * | 2004-01-15 | 2005-08-04 | Deutsche Telekom Ag | Sending user-specific data based on WAP or HTML protocols involves determining characteristics of user/terminal sending URL information, analyzing for tokens, replacing with user/equipment-specific data for sending to service provider |
DE102004003593B4 (en) * | 2004-01-15 | 2016-05-12 | Deutsche Telekom Ag | Method for transmitting user-specific data based on the WAP or HTML protocol |
US20070033588A1 (en) * | 2005-08-02 | 2007-02-08 | Landsman Richard A | Generic download and upload functionality in a client/server web application architecture |
US7594003B2 (en) | 2005-08-02 | 2009-09-22 | Aol Llc | Client/server web application architectures for offline usage, data structures, and related methods |
US9641594B2 (en) | 2005-08-02 | 2017-05-02 | Aol Inc. | Generic download and upload functionality in a client/server web application architecture |
US9043783B2 (en) | 2005-08-02 | 2015-05-26 | Aol Inc. | Generic download and upload functionality in a client/server web application architecture |
US20070033569A1 (en) * | 2005-08-02 | 2007-02-08 | Davidson James G | Client/server web application architectures for offline usage, data structures, and related methods |
US8601475B2 (en) | 2005-08-02 | 2013-12-03 | Aol Inc. | Download and upload of email messages using control commands in a client/server web application |
US20080263656A1 (en) * | 2005-11-29 | 2008-10-23 | Masaru Kosaka | Device, System and Method of Performing an Administrative Operation on a Security Token |
US8387125B2 (en) * | 2005-11-29 | 2013-02-26 | K.K. Athena Smartcard Solutions | Device, system and method of performing an administrative operation on a security token |
US20070192610A1 (en) * | 2006-02-10 | 2007-08-16 | Chun Dexter T | Method and apparatus for securely booting from an external storage device |
US8386518B2 (en) * | 2006-07-10 | 2013-02-26 | Gemalto Sa | Server for managing anonymous confidential data |
US20090319488A1 (en) * | 2006-07-10 | 2009-12-24 | Gemalto | Server for managing anonymous confidential data |
US8250094B2 (en) * | 2006-07-19 | 2012-08-21 | Microsoft Corporation | Relational lockdown for an item store |
US20080021901A1 (en) * | 2006-07-19 | 2008-01-24 | Microsoft Corporation | Relational lockdown for an item store |
US20100192193A1 (en) * | 2009-01-23 | 2010-07-29 | Microsoft Corporation | Security restriction techniques for browser-based applications |
US20130067597A1 (en) * | 2011-09-14 | 2013-03-14 | Samsung Electronics Co., Ltd. | System for controlling access to user resources and method thereof |
US10733151B2 (en) | 2011-10-27 | 2020-08-04 | Microsoft Technology Licensing, Llc | Techniques to share media files |
US9264413B2 (en) * | 2012-12-06 | 2016-02-16 | Qualcomm Incorporated | Management of network devices utilizing an authorization token |
US20140165155A1 (en) * | 2012-12-06 | 2014-06-12 | Qualcomm Incorporated | Management of network devices utilizing an authorization token |
US20160085977A1 (en) * | 2014-09-18 | 2016-03-24 | Samsung Electronics Co., Ltd. | Token-based scheme for granting permissions |
US10176333B2 (en) * | 2014-09-18 | 2019-01-08 | Samsung Electronics Co., Ltd. | Token-based scheme for granting permissions |
US20180060595A1 (en) * | 2016-08-31 | 2018-03-01 | Vmware, Inc. | Extensible token-based authorization |
US10452328B2 (en) * | 2016-08-31 | 2019-10-22 | Vmware, Inc. | Extensible token-based authorization |
US10635828B2 (en) | 2016-09-23 | 2020-04-28 | Microsoft Technology Licensing, Llc | Tokenized links with granular permissions |
CN108123930A (en) * | 2016-11-28 | 2018-06-05 | SSH Communications Security Corp. | Accessing hosts in a computer network |
US10425417B2 (en) * | 2017-03-08 | 2019-09-24 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10374808B2 (en) | 2017-03-08 | 2019-08-06 | Bank Of America Corporation | Verification system for creating a secure link |
US10432595B2 (en) | 2017-03-08 | 2019-10-01 | Bank Of America Corporation | Secure session creation system utililizing multiple keys |
US10361852B2 (en) | 2017-03-08 | 2019-07-23 | Bank Of America Corporation | Secure verification system |
US20180262504A1 (en) * | 2017-03-08 | 2018-09-13 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10812487B2 (en) | 2017-03-08 | 2020-10-20 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10848492B2 (en) | 2017-03-08 | 2020-11-24 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US10862892B2 (en) | 2017-03-08 | 2020-12-08 | Bank Of America Corporation | Certificate system for verifying authorized and unauthorized secure sessions |
US20190007415A1 (en) * | 2017-06-29 | 2019-01-03 | Microsoft Technology Licensing, Llc | Access control manager |
US10764299B2 (en) * | 2017-06-29 | 2020-09-01 | Microsoft Technology Licensing, Llc | Access control manager |
US11588822B2 (en) * | 2017-10-19 | 2023-02-21 | Beijing Jingdong Shangke Information Technology Co., Ltd. | Right control method and apparatus for terminal device |
US10909045B2 (en) * | 2018-12-20 | 2021-02-02 | Arm Limited | System, method and apparatus for fine granularity access protection |
Similar Documents
Publication | Title |
---|---|
US20030079136A1 (en) | Security framework |
US20210073806A1 (en) | Data processing system utilising distributed ledger technology |
EP2893686B1 (en) | Ldap-based multi-customer in-cloud identity management system |
US7356840B1 (en) | Method and system for implementing security filters for reporting systems |
US7231661B1 (en) | Authorization services with external authentication |
US8959613B2 (en) | System and method for managing access to a plurality of servers in an organization |
US6161139A (en) | Administrative roles that govern access to administrative functions |
KR100920871B1 (en) | Methods and systems for authentication of a user for sub-locations of a network location |
US7206851B2 (en) | Identifying dynamic groups |
US8015596B2 (en) | Shared credential store |
US7516134B2 (en) | Controlling access to a database using database internal and external authorization information |
US20020112155A1 (en) | User Authentication |
US8307406B1 (en) | Database application security |
US8051168B1 (en) | Method and system for security and user account integration by reporting systems with remote repositories |
CA2339946A1 (en) | Access control using attributes contained within public key certificates |
WO2002005103A1 (en) | Providing data to applications from an access system |
WO2002005092A2 (en) | Localized access |
WO2002005487A1 (en) | A system for logging access system events and providing identity management and access management for a network |
CN107145531B (en) | Distributed file system and user management method of distributed file system |
US7801967B1 (en) | Method and system for implementing database connection mapping for reporting systems |
US9912642B1 (en) | Authorization path secured electronic storage system |
Miltchev et al. | Secure and flexible global file sharing |
Cisco | User Databases |
Cisco | User Databases |
US20100043049A1 (en) | Identity and policy enabled collaboration |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: NASDAQ STOCK MARKET, INC., THE, DISTRICT OF COLUMB Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ERICTA, EMMANUEL;SMITHWICK, SHARON;REEL/FRAME:013624/0605;SIGNING DATES FROM 20021019 TO 20021127 |
AS | Assignment | Owner name: JP MORGAN CHASE BANK, N.A., NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNOR:NASDAQ STOCK MARKET, INC., THE;REEL/FRAME:017222/0503 Effective date: 20051208 |
AS | Assignment | Owner name: THE NASDAQ STOCK MARKET, INC., NEW YORK Free format text: TERMINATION AND RELEASE AGREEMENT;ASSIGNOR:JPMORGAN CHASE BANK N.A., AS ADMINISTRATIVE AGENT;REEL/FRAME:017492/0228 Effective date: 20060418 |
AS | Assignment | Owner name: BANK OF AMERICA, N.A. AS COLLATERAL AGENT, NEW YORK Free format text: SECURITY AGREEMENT;ASSIGNOR:THE NASDAQ STOCK MARKET, INC.;REEL/FRAME:017507/0308 Effective date: 20060418 |
STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
AS | Assignment | Owner name: THE NASDAQ STOCK MARKET, INC., NEW YORK Free format text: RELEASE OF SECURITY INTEREST IN PATENTS;ASSIGNOR:BANK OF AMERICA, N.A.;REEL/FRAME:019943/0733 Effective date: 20070928 |
AS | Assignment | Owner name: NASDAQ OMX GROUP, INC., THE, MARYLAND Free format text: CHANGE OF NAME;ASSIGNOR:NASDAQ STOCK MARKET, INC., THE;REEL/FRAME:020747/0105 Effective date: 20080227 |